jfrog

Warn

Audited by Socket on Apr 22, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS. The install path for the Membrane CLI appears legitimate and official, but the skill's actual footprint routes JFrog authentication and API traffic through Membrane instead of the official JFrog API directly. That third-party credential handling and proxying are inconsistent enough with a plain JFrog integration to raise medium risk, though there is no clear evidence of outright malware or obfuscation.

Confidence: 89%
Severity: 64%

Audit Metadata

Analyzed At: Apr 22, 2026, 01:58 PM
Package URL: pkg:socket/skills-sh/membranedev%2Fapplication-skills%2Fjfrog%2F@54ac42e5660930e5151356ea938222b6872d432b